28 March 2012
EU
  The principle of availability takes over from the
  notion of privacy: what price data protection?
  
The
  Hague Programme adopted at the EU Summit on 5 November 2004 says
  that from 1 January 2008 the "principle of availability"
  - which simply means if data is held then it can be shared between
  law enforcement agencies - will become the guiding light for
  access to personal data held by national law enforcement agencies
  in other EU member states.
  The European Commission is charged with preparing a proposal
  to implement "the principles of availability" including
  the following key conditions:
1) exchange of data can only take place so that "legal
  tasks may be performed" - "legal tasks" is an extremely
  broad definition and is clearly intended to extend beyond gathering
  evidence for presentation in a specified court case, eg: investigations
  and surveillance;
  2) "the need to protect source of information";
  3) "individuals must be protected from abuse of data and
  have the right to seek correction of incorrect data"
  But how will individuals be able to correct law enforcement agencies'
  files unless they are given full access to them and know who
  has accessed their data and how it has been used?
  The Hague Programme says that "new technology" must
  be fully employed and the means of "exchange" of personal
  data between agencies could be through:
  a) "reciprocal access to... national databases"
  b) "the interoperability of... national databases"
  (all agencies have access to each other's data)
  c) "direct online access.. to existing central EU databases
  such as the SIS" 
  European Data Protection Commissioners
  
  On 14 September 2004 the European Data Protection Commissioners
  met in Wroclaw, Poland and adopted a Resolution to set up a "joint
  EU forum on data protection in police and judicial cooperation
  matters (data protection in the third pillar)". The Resolution
  says that in contrast to the "first pillar" (economic
  and social issues) where the Article 29 Working Party is in place,
  there is no equivalent to cover the "third pillar".
  The three joint supervisory bodies covering Europol, Schengen
  and Eurojust have specific mandates and "a broader approach
  is required to secure a uniform level of data protection safeguards
  for the whole area of police and judicial cooperation".
  The creation of a parallel group to the Article 29 Working Group
  covering the "third pillar" would fill a gap in the
  role of data protection commissioners. However, it is only part
  of the answer as the Opinions of the Article 29 Working Party
  are often simply ignored by the Council and Commission. European
  Parliament reports do take notice of the Working Party's Opinions
  but at present their views on "third pillar" issues
  are also routinely ignored.
  The three supervisory bodies (Europol, Eurojust and Schengen)
  have submitted evidence to the UK House of Lords Select Committee
  on the European Union's inquiry into EU counter-terrorism activities.
  They say that "large quantities of personal data for intelligence
  and law enforcement agencies" are being processed "in
  the fight against terrorism and serious crime". Recent proposals
  involve the:
"processing of personal data from different sources
  on an unprecedented scale" 
  The retention of communications data and the passing of passenger
  data to the USA are examples, they say, of a:
"new trend involving the collection of information
  on individuals (and not only suspects)".
  The EU supervisory bodies say that the gathering of data on individuals
  is not isolated to one or two agencies but "involves a huge
  number of agencies throughout the EU". Their experience
  in trying to assess the Europol-USA agreement showed that trying
  to limit the number of agencies who have access to personal data
  is difficult if not impossible:
  "in the USA some 1,500 authorities on Federal, State
  and community level are involved in dealing with criminal offences
  including terrorism"
  The exchange of data on the scale proposed: "often involving
  processing of information on those who are not suspected of any
  crime" requires, they say, "purpose restriction"
  (ie: that data collected for one purpose cannot be used for another)
  and supervision to ensure compliance with legal instruments.
  These limitations do not exist at present.
  They conclude that a "specific set of data protection rules
  for police and intelligence authorities" has to be put in
  place. There needs to be a common legal basis in every member
  state - as existing national data protection authorities "have
  different competencies in the field of law enforcement"
  - and sufficient funds and staff to ensure they have the capacity
  to do their work. 
  How will the Council and Commission respond?
  
  The Council of the European Union (then 15 governments) set up
  a working party on data protection in the "third pillar"
  in May 1998. The "Action Plan of the Council and the Commission
  on how best to implement the provisions of Amsterdam establishing
  an area of freedom, security and justice" (13844/98) said
  that data protection issues in the "third pillar" should
  be: "developed within a two year period" (IV.47(a)).
  Not until August 2000 was a draft Resolution drawn up by the
  Working Party. This was revised five times, the last being on
  12 April 2001 under the Swedish Presidency of the EU (6316/2/01)
  when agreement appeared to have been reached and the Article
  36 Committee was asked to address outstanding reservations. From
  this point on there has been silence - and the Working Party was abolished
  in 2001 when the Council was restructured to streamline
  decision-making.
  The European Commission has produced a Communication on "enhancing
  access to information by law enforcement agencies" (COM
  (2004) 429) - this was presented to the full Commission meeting
  (14.5.04) with the addition to the title of "and related
  data protection issues" which was dropped. The Communication
  says a Framework Decision will be presented to establish common
  standards for Title VI (TEU, "third pillar") but these
  will not be to establish the rights of individuals but to:
  "empower access to all relevant law enforcement data
  by police and judicial authorities.. for the purpose of cooperation
  to prevent, detect, investigate and prosecute crime and threats
  to security"
and to:
"reduce the practical difficulties in information
  exchange between Member States on the one hand and Member States
  and third countries on the other" 
  All this is to be "in accordance with fundamental rights"
  - which on the evidence of measures taken since 11 September
  2001 is an empty promise.
  Mr Franco Frattini, the new Commissioner for "Justice, Freedom
  and Security" (the new Commission euphemism for the "Area
  of Security, Freedom and Justice"), addressed the issue
  at a meeting on the EU Joint Supervisory authorities
  in Brussels on 21 December. He said the Commission was committed
  to safeguarding "the commitments" to data protection
  in the Charter and the Treaty and "cooperation with the
  agencies safeguarding these rights" - and asked the question:
  "What new balances will it be necessary to find between
  privacy and security?"
  He agreed with the authorities that a new framework was needed,
  taking "account of the times we are living in". The
  current lack of "coherence" had led to:
  "some of the supposed obstacles thrown up by the notion
  of privacy"
  
  Mr Frattini went on to say that the Tampere Summit (1999) stressed
  the need for "coherent action to promote access to available
  databases and information sharing between the authorities concerned"
  and now the "Hague Programme" had introduced "the
  principle of availability".
  The questions to be tackled include: 
  1) "adapting the principles to the objectives pursued,
  for example, in the case of information sharing the principle
  set out in the Hague Programme" (ie: availability) 
  2) "developing special rules governing the transfer of data
  to third countries and other bodies, incorporating the principle
  that information received may be passed on with the prior consent
  of the party forwarding it"
  This would mean, under the "principles of availability",
  that any agency in the EU could agree with the USA that it can
  pass data on to all the agencies it wants (some 1,500) to use
  for their own purposes. The "principle of availability"
  and the "principle that information received may be passed
  on" utterly undermine any concept of data protection which
  requires that data can only be collected for a specific, stated,
  purpose and cannot be used or added to for any other purpose.
  Once this principle is breached the rights of the individual
  (and of privacy) disappear because there is no way to track who
  has data on them and how it has been used or amended.
  Hundreds of measures have been put in place under the "third
  pillar" since 1976 - the Trevi acquis (1976-1993), then
  the Maastricht acquis (1993-1999) and currently the Amsterdam
  acquis (1999 ongoing, which also incorporates the Schengen acquis)
  - and still there are no data protection provisions or meaningful
  supervision. Now new measures are on the table to enact the so-called
  "principle of availability" (Hague programme) and the
  "principle that information received may be passed on"
  (Commission, Mr Frattini).
Tony Bunyan, Statewatch editor, comments:
  "When the Commission and the Council finally get around
  to "data protection" it will be tailored to ensure
  the smooth-running of the powers, practices, databases and "data
  exchanges" of security and law enforcement agencies not
  those of the individual. In the "times we are living in"
  will data protection become a meaningless concept?"
This article first appeared in Statewatch
  bulletin, vol 14 no 6 
  